Description
Step CA is an online certificate authority for secure, automated certificate management for DevOps. From 0.24.0 to before 0.30.0-rc3, an attacker can trigger an index out-of-bounds panic in Step CA by sending a crafted attestation key (AK) certificate with an empty Extended Key Usage (EKU) extension during TPM device attestation. When processing a device-attest-01 ACME challenge using TPM attestation, Step CA validates that the AK certificate contains the tcg-kp-AIKCertificate Extended Key Usage OID. During this validation, the EKU extension value is decoded from its ASN.1 representation and the first element is checked. A crafted certificate could include an EKU extension that decodes to an empty sequence, causing the code to panic when accessing the first element of the empty slice. This vulnerability is only reachable when a device-attest-01 ACME challenge with TPM attestation is configured. Deployments not using TPM device attestation are not affected. This vulnerability is fixed in 0.30.0-rc3.
Published: 2026-04-10
Score: 3.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via index out-of-bounds panic during TPM attestation
Action: Immediate Patch
AI Analysis

Impact

Step CA, an online certificate authority, contains a vulnerability that permits a crafted attestation key certificate with an empty Extended Key Usage extension to trigger an index out‑of‑bounds panic during TPM device attestation. The panic occurs when the code decodes the EKU ASN.1 value and attempts to access the first element of an empty sequence. This flaw is classified as CWE‑129 and results in an application crash, denying certificate issuance services to clients that trigger the attack. The impact is limited to service disruption rather than data theft.
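The failure mode described above, reduced to a standalone Go sketch (an added example, not Step CA's own code): an EKU extension value that decodes to an empty sequence panics an unguarded first-element check, while a guarded check returns an error. The function names and the shape of the hardened check are assumptions for illustration; the sample bytes are constructed.

```go
package main

import (
	"encoding/asn1"
	"errors"
	"fmt"
)

// tcg-kp-AIKCertificate extended key usage OID.
var oidAIK = asn1.ObjectIdentifier{2, 23, 133, 8, 3}

// uncheckedEKU (hypothetical) indexes the slice unguarded; recover() only reports the panic.
func uncheckedEKU(extValue []byte) (ok bool, err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("panic: %v", r)
		}
	}()
	var ekus []asn1.ObjectIdentifier
	if _, uerr := asn1.Unmarshal(extValue, &ekus); uerr != nil {
		return false, uerr
	}
	return ekus[0].Equal(oidAIK), nil // panics when ekus is empty
}

// checkedEKU (hypothetical) rejects trailing bytes and an empty sequence first.
func checkedEKU(extValue []byte) error {
	var ekus []asn1.ObjectIdentifier
	rest, err := asn1.Unmarshal(extValue, &ekus)
	if err != nil {
		return fmt.Errorf("decoding EKU: %w", err)
	}
	if len(rest) != 0 || len(ekus) == 0 {
		return errors.New("EKU extension is empty or malformed")
	}
	for _, oid := range ekus {
		if oid.Equal(oidAIK) {
			return nil
		}
	}
	return errors.New("tcg-kp-AIKCertificate EKU not present")
}

func main() {
	empty := []byte{0x30, 0x00} // constructed input: DER for an empty SEQUENCE
	valid, _ := asn1.Marshal([]asn1.ObjectIdentifier{oidAIK})
	_, err := uncheckedEKU(empty)
	fmt.Println(err, "|", checkedEKU(empty), "|", checkedEKU(valid))
}
```

In a server without a recovery handler around this path, the unguarded variant's panic terminates the process, which is the denial of service the advisory describes.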

Affected Systems

Deployments are affected if they run smallstep certificates versions 0.24.0 up to, but not including, 0.30.0‑rc3, and only if the device‑attest‑01 ACME challenge is configured to use TPM attestation. Systems that do not employ TPM attestation are not impacted.

Risk and Exploitability

The CVSS score of 3.7 reflects low-to-medium severity, with the impact confined to denial of service. No EPSS score is available, and the vulnerability is not listed in CISA KEV, indicating no publicly known exploits yet. The attack vector is inferred to be internal or privileged, requiring the ability to supply a crafted AK certificate during a TPM attestation challenge. The fix implemented in 0.30.0‑rc3 removes the bounds-check flaw. Because the vulnerable path exists only in a specific configuration, the likelihood of exploitation without this configuration is very low. Nevertheless, an attacker with access to the attestation path can deliberately disrupt service by repeatedly sending crafted certificates.

Generated by OpenCVE AI on April 10, 2026 at 18:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade smallstep certificates to 0.30.0-rc3 or later.
  • If an upgrade is not immediately feasible, disable TPM device attestation in the device‑attest‑01 ACME challenge configuration to exclude the vulnerable path.
  • Monitor the CA logs for repeated panic or crash events related to TPM attestation as an early indicator of attempted exploitation.



Advisories

Source: GitHub GHSA
ID: GHSA-9qq8-cgcv-qmc9
Title: Step CA affected by an index out of bounds panic in TPM attestation EKU validation

History

Mon, 27 Apr 2026 13:45:00 +0000

Type Values Removed Values Added
First Time appeared Smallstep step-ca
CPEs cpe:2.3:a:smallstep:step-ca:*:*:*:*:*:go:*:*
cpe:2.3:a:smallstep:step-ca:0.30.0:rc1:*:*:*:go:*:*
cpe:2.3:a:smallstep:step-ca:0.30.0:rc2:*:*:*:go:*:*
Vendors & Products Smallstep step-ca

Mon, 13 Apr 2026 13:00:00 +0000

Type Values Removed Values Added
First Time appeared Smallstep
Smallstep certificates
Vendors & Products Smallstep
Smallstep certificates

Fri, 10 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 10 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
Description Step CA is an online certificate authority for secure, automated certificate management for DevOps. From 0.24.0 to before 0.30.0-rc3, an attacker can trigger an index out-of-bounds panic in Step CA by sending a crafted attestation key (AK) certificate with an empty Extended Key Usage (EKU) extension during TPM device attestation. When processing a device-attest-01 ACME challenge using TPM attestation, Step CA validates that the AK certificate contains the tcg-kp-AIKCertificate Extended Key Usage OID. During this validation, the EKU extension value is decoded from its ASN.1 representation and the first element is checked. A crafted certificate could include an EKU extension that decodes to an empty sequence, causing the code to panic when accessing the first element of the empty slice. This vulnerability is only reachable when a device-attest-01 ACME challenge with TPM attestation is configured. Deployments not using TPM device attestation are not affected. This vulnerability is fixed in 0.30.0-rc3.
Title Step CA affected by an index out of bounds panic in TPM attestation EKU validation
Weaknesses CWE-129
References
Metrics cvssV3_1

{'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-10T18:30:15.176Z

Reserved: 2026-04-09T01:41:38.536Z

Link: CVE-2026-40097

Vulnrichment

Updated: 2026-04-10T18:30:10.321Z

NVD

Status: Analyzed

Published: 2026-04-10T17:17:12.823

Modified: 2026-04-27T13:40:24.027

Link: CVE-2026-40097

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-13T13:00:21Z

Weaknesses